Bug 171792 - vsftpd nfs mounted home directory chroot shell fails
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: vsftpd
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Radek Vokál
QA Contact: Mike McLean
Reported: 2005-10-26 15:19 UTC by R. Michael Richer
Modified: 2007-11-30 22:11 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-10-27 14:43:11 UTC

Description R. Michael Richer 2005-10-26 15:19:03 UTC

Description of problem:
Using SELINUX in permissive mode. NFS mounted home directories. VSFTP with chroot shells. Users fail to chroot to their home directories. Unmounting the NFS and using local directories works all right. Using NFS mounted directories with SSH, and local logins, also works all right. Using all of the above fails.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.6

How reproducible:
Always

Steps to Reproduce:
1.  NFS Mount Home Directories, Add Chroot local user options to vsftpd.
2.  Attempt to login via ftp.

Actual Results:  Oops on chroot

Expected Results:  Successful login via FTP

Additional info:

getsebool -a |grep "nfs\|ftp"
=
allow_ftpd_anon_write --> inactive
ftp_home_dir --> active
ftpd_disable_trans --> active
ftpd_is_daemon --> active
nfs_export_all_ro --> active
nfs_export_all_rw --> active
nfsd_disable_trans --> inactive
tftpd_disable_trans --> inactive
use_nfs_home_dirs --> active
=

Comment 1 Daniel Walsh 2005-10-26 19:12:33 UTC
Are you saying that this does not work in permissive mode?  If yes this is
probably not an SELinux problem?

Comment 2 R. Michael Richer 2005-10-26 19:56:40 UTC
Nope... It doesn't work in enforced nor in permissive... However, if I disable
SELINUX completely, it works fine...


Comment 3 Daniel Walsh 2005-10-26 20:00:46 UTC
Are you seeing any avc messages?

I am not sure what you mean by chroot directories in VSFTP.

Do you mean you simply ftp to a machine with NFS homedirs and log in as a user,
and you cannot read or write files in the homedir?

Comment 4 R. Michael Richer 2005-10-26 22:22:31 UTC
Nope.  I don't see any avc messages.

What I meant about chroot directories in VSFTP is shown with the following
directive in /etc/vsftpd/vsftpd.conf:

chroot_local_user=YES

Your last statement is almost 100% correct... up to the login as a user... The
login as a user fails because it can't chroot to the NFS directory and it kicks
you out immediately (so you can't even read or write files).
If you use non-NFS mounted directories, the "chrooting" works fine... users are
locked into their personal space..

Comment 5 R. Michael Richer 2005-10-27 13:23:34 UTC
Disabling SELinux also does not resolve the problem... So it looks like you're
right.. it's a vsftpd problem or an nfs problem...
This bug should be relocated to vsftpd component, I'll do that now.


Comment 6 R. Michael Richer 2005-10-27 13:24:29 UTC
Bug reassigned to vsftpd component.

Comment 7 R. Michael Richer 2005-10-27 14:43:11 UTC
The NFS home directories are mounted as read-only.  This causes the chroot to
fail.  Remounting with read-write capabilities permits the chroot.
Don't know how you want to classify this (as a bug or not..).  Perhaps just a
man-page update.  In either case, I remounted with read-write and my problems
are solved here..
Thanks
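
A check for the condition reported in Comment 7, as an added example that is not part of the original bug thread: it finds the mount backing a user's home directory in a /proc/mounts-format table and reports whether that mount is read-only NFS. The function names, exit statuses and the sample table are assumptions made for this example.

```shell
#!/bin/sh
# mount_for_path PATH [MOUNTS_FILE]
# Prints "ro|rw fstype mountpoint" for the longest mount point covering PATH.
mount_for_path() {
    awk -v p="$1" '
        {
            mp = $2
            gsub(/\\040/, " ", mp)   # /proc/mounts escapes spaces as \040
            covers = (mp == "/" || p == mp || index(p, mp "/") == 1)
            # ">=" lets a later mount stacked on the same point win
            if (covers && length(mp) >= length(best)) {
                best = mp; fstype = $3; opts = $4
            }
        }
        END {
            if (best == "") exit 1
            mode = "rw"
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") mode = "ro"
            print mode, fstype, best
        }
    ' "${2:-/proc/mounts}"
}

# check_ftp_home PATH [MOUNTS_FILE]
# Exit status: 0 writable, 1 read-only NFS, 2 read-only other, 3 no mount found.
check_ftp_home() {
    info=$(mount_for_path "$1" "${2:-/proc/mounts}") || return 3
    read -r mode fstype mp <<EOF
$info
EOF
    case "$mode:$fstype" in
        ro:nfs*) echo "$1: on read-only NFS mount $mp"; return 1 ;;
        ro:*)    echo "$1: on read-only $fstype mount $mp"; return 2 ;;
        *)       echo "$1: on writable $fstype mount $mp"; return 0 ;;
    esac
}

# Constructed sample table in /proc/mounts format (not from the bug report).
sample=$(mktemp)
cat >"$sample" <<'EOF'
/dev/sda1 / ext3 rw 0 0
filer:/export/home /home nfs ro,hard,intr,addr=192.0.2.10 0 0
/dev/sda2 /srv ext3 rw,noatime 0 0
EOF
check_ftp_home /home/alice "$sample" || echo "status $?"
check_ftp_home /srv/ftp "$sample"
```

Called without a second argument, `check_ftp_home` reads the live `/proc/mounts`, so it can be run against each local user's home directory on the FTP server.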

